Hybrid Exchange: What to Do When Mailboxes Auto-create When Assigning Licenses in O365

Recently, I ran across an interesting issue during an Exchange 2010 Hybrid deployment with Office 365. The environment already had an Office 365 tenant configured and was actively using it for Exchange Online Protection (EOP); however, the environment was not being synced using AD Connect (DirSync), and Hybrid Exchange was not yet configured. Previously, the user accounts had been created manually in the O365 tenant in order to use EOP. Upon setting up AD Connect and synchronizing the tenant with the on-premises Active Directory, all the accounts synced and appeared to be receiving the correct attributes from the on-premises AD... or so it would seem.

This is the screen you would expect to see under a user’s properties in the O365 Admin Portal after a license is assigned:

Figure 1 Expected 'Mail Settings' screen for a user when assigning a license in a Hybrid Exchange configuration

Instead we are seeing the following two screens, followed by an empty mailbox being created in the Exchange Online console:

Figure 2 Typically the message would revert to what is displayed in Figure 1 after about 10 minutes...

Figure 3 A mailbox was created in the Exchange Online environment; however, the actual mailbox is still on-premises

THE SOLUTION

The reason this happens is that the user account already existed in the O365 tenant. Because the account existed when we ran AD Connect (DirSync), some attributes were missed on the initial synchronization between the on-premises Active Directory and Azure AD. To resolve this, follow these simple steps.

Step 1 – Delete the mailbox created in Exchange Online

This is critical and should be done as soon as possible to avoid any interruption in mail delivery to the user. Be sure to check for any new mail that may have been delivered to the Exchange Online mailbox before removing it, so you can extract it and import it into the user’s on-premises mailbox. You will need to remove any O365 licenses from the user as well.

Step 2 – Delete the user account in Office 365

In the O365 Admin Portal under the Users tab, locate the affected user account and ensure that all O365 licenses have been removed from the account, then delete the user. This will put the user account in the Deleted Users folder in the O365 Admin Portal.

Step 3 – Remove the deleted user from the Azure AD Recycle Bin

This step requires that you connect to the O365 tenant via Azure AD remote PowerShell (the MSOnline module). Once connected, run the following command to view the deleted account in the Azure AD Recycle Bin (deleted users):

Get-MsolUser -ReturnDeletedUsers

Figure 6 Command returns list of deleted users

If multiple results are returned and you need to delete only the single affected user, run the following command:
Remove-MsolUser -UserPrincipalName USERNAME@DOMAIN.com -RemoveFromRecycleBin -Force

OR, if you want to remove all the deleted users from the Azure AD Recycle Bin, run this command:
Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

Now if you run the first command again, the user account in question should be gone.

Step 4 – Force a full sync from AD Connect (DirSync)

Log on to your AD Connect server, open an administrative PowerShell session, and run the following two commands:
Import-Module ADSync

Start-ADSyncSyncCycle -PolicyType Initial

AD Connect should run a full synchronization and re-sync the account that was deleted, but this time with the correct attributes for Exchange Online.

Step 5 – Assign Exchange Online license and verify correct behavior

Once the synchronization is complete, log in to the O365 portal and verify that the user account shows up in the users list. Next, assign the Exchange Online license to the user. After 5-10 minutes, you should see the following message under ‘Mail Settings’ for the user, indicating that the user account has not yet been migrated to Office 365.

Figure 7 Expected message in a Hybrid Exchange setup

It is also a good idea to check the Exchange Online console to ensure that an empty mailbox has not been created.
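The following script is an added example, not part of the original post, that walks Steps 1 through 5 for a single affected user in one place and adds the checks a practitioner would want before each destructive action: it confirms that any Exchange Online mailbox is empty before the user is removed, purges only that one user from the Azure AD Recycle Bin, waits for the full sync cycle to finish, and then verifies that the user surfaces in Exchange Online as a MailUser rather than a UserMailbox. It assumes the MSOnline module (Connect-MsolService) and the ExchangeOnlineManagement module (Connect-ExchangeOnline) are installed, that you have WinRM access to the AD Connect server, and that the hostname AADCONNECT01 and USERNAME@DOMAIN.com are placeholders you replace.

```powershell
# Added example (not from the original post). Assumptions: MSOnline and
# ExchangeOnlineManagement modules installed; WinRM access to the AD Connect
# server; $AadConnectServer and the UPN are placeholders for your environment.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. USERNAME@DOMAIN.com
    [string] $AadConnectServer = 'AADCONNECT01'            # placeholder hostname
)

Connect-MsolService
Connect-ExchangeOnline -ShowBanner:$false

# Step 1 check: did Exchange Online create a real mailbox for this user?
$recipient = Get-Recipient -Identity $UserPrincipalName -ErrorAction SilentlyContinue
if ($recipient -and $recipient.RecipientTypeDetails -eq 'UserMailbox') {
    # Stop if mail has already landed in the cloud mailbox; it must be exported first
    $stats = Get-MailboxStatistics -Identity $UserPrincipalName
    if ($stats.ItemCount -gt 0) {
        Write-Warning "Exchange Online mailbox holds $($stats.ItemCount) items; export them to the on-premises mailbox before continuing."
        return
    }
    Write-Host "Empty Exchange Online mailbox found for $UserPrincipalName; it will go away with the user object."
}

# Steps 1 and 2: strip every license, then delete the cloud user
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName
if ($user.Licenses.Count -gt 0) {
    $skus = $user.Licenses | ForEach-Object { $_.AccountSkuId }
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -RemoveLicenses $skus
}
Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force

# Step 3: purge only this user from the Azure AD Recycle Bin
$deleted = Get-MsolUser -ReturnDeletedUsers | Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
if ($deleted) {
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force
}
if (Get-MsolUser -ReturnDeletedUsers | Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }) {
    throw "User is still in the Recycle Bin; do not re-sync until it is purged."
}

# Step 4: force a full (initial) sync cycle on the AD Connect server
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Initial
}
# Wait until the scheduler reports the cycle has finished before licensing
do {
    Start-Sleep -Seconds 30
    $busy = Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
        (Get-ADSyncScheduler).SyncCycleInProgress
    }
} while ($busy)

# Step 5: confirm the object came back from sync and that no cloud mailbox exists.
# In a hybrid, a user whose mailbox is still on-premises should be a MailUser in Exchange Online.
$synced = Get-MsolUser -UserPrincipalName $UserPrincipalName
Write-Host "Re-synced: $($synced.UserPrincipalName) (LastDirSyncTime $($synced.LastDirSyncTime))"
$recipient = Get-Recipient -Identity $UserPrincipalName -ErrorAction SilentlyContinue
if ($recipient.RecipientTypeDetails -eq 'UserMailbox') {
    Write-Warning "A mailbox still exists in Exchange Online; resolve this before assigning the license."
} else {
    Write-Host "Recipient type in Exchange Online: $($recipient.RecipientTypeDetails) (expected MailUser)"
}
```

Run it as .\Fix-HybridUser.ps1 -UserPrincipalName USERNAME@DOMAIN.com from a workstation that can reach both the tenant and the AD Connect server; assign the Exchange Online license only after the final check reports MailUser, then re-run the last block after 5-10 minutes to confirm the recipient type has not flipped to UserMailbox.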

CONCLUSION

This issue can cause some major headaches when onboarding users to Office 365. However, following these simple steps should eliminate the problem quickly to get you back on track.

Travis has over 10 years of experience in the IT industry helping customers solve technical and business problems with technology. He has experience in a variety of roles including sales, web development, systems engineering and consulting. His experience in IT environments ranges anywhere from small-midsize business (SMB) to large enterprise.